Telehealth and HIPAA during the COVID-19 Nationwide Public Health Emergency

The Department of Health and Human Services’ Office for Civil Rights (“OCR”) publicized a Notification of Enforcement Discretion (“Notification”), which maintains that OCR will exercise enforcement discretion and waive potential penalties for noncompliance with HIPAA in the context of a covered health care provider conducting telehealth, on a good faith basis, by utilizing widely available (and non-public) communication applications during the COVID-19 nationwide public health emergency.

OCR’s discretion applies to telehealth provided to all patients, whether or not it is related to diagnosis and treatment related to COVID-19. Thus, health care providers can utilize their professional judgment to provide assessment and treatment of any patient, provided that such provision of telehealth is done in good faith.

Health care providers can utilize many non-public applications that are popular among patients but may generally be outside of the normal scope of telehealth modalities. For example, the Notification and the FAQ’s published by OCR refer to the following applications as ones that providers may utilize: Apple FaceTime, Facebook messenger video chat, Google Hangouts video, Skype, Whatsapp video chat, Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, and iMessage. Providers should still take all reasonable steps to make sure that privacy concerns are mitigated, and providers should not use any public facing communication applications, such as TikTok, Facebook Live, Twitch, Slack, and other similar applications.

OCR has also noted that it will not impose penalties against covered health care providers for lack of a HIPAA Business Associate Agreement with technology vendors during the course of the COVID-19 nationwide public health emergency, however, for further protection, providers should still seek out vendors that identify themselves as HIPAA compliant and that will enter into HIPAA Business Associate Agreements.